Integrating hotel systems can create hacking liabilities

Integration. It’s one of the industry’s biggest buzzwords for streamlining operations. With everything on property collecting data and providing options for interaction, wouldn’t it be nice if every device collaborated? It’s the dream of many operators to have a property that is running fully in sync, but Shaun Murphy, communications security expert, inventor, CEO and co-founder of communications app SNDR, said the persistent threat of data breaches may be reason enough to question which devices on property are working in tandem.

“During a breach, the worst-case scenario is that all your systems are integrated,” Murphy said. “From your point of sale to your soda machine, at that point you are losing not only financial information, which you have to disclose, but other confidential information as well.”

The sale of personal information is a big business online, particularly as credit card security grows more sophisticated. It may seem like peanuts to hotel operators, but data thieves are very interested in your guests’ personal lives, including what movies they are watching, the names of their pets, where they went to high school, their movements throughout the day and, of course, purchase decisions. Hackers can use this information to enter social media accounts to take even more information, or use what they already know to access bank accounts. What’s more, while a bank can refund stolen cash, it’s much harder to erase personal information from the internet.

“If it comes out that [hackers] had leaked intimate information outside of credit card data, that will result in significant brand damage,” Murphy said. “Every major brand and hotel needs to take cyber security seriously. You don’t just spend some money on PR and it goes away; it’s a lasting effect.”

To avoid the lasting stain of a breach, Murphy recommends spending up front a fraction of what you would lose on training in physical security and malware. Some hackers are fond of dropping attractive USB sticks infected with malware in high-traffic areas, giving them access to any computer the sticks are plugged into. Training employees not to plug in unknown devices is simple, but it could save your property millions of dollars and a horde of upset guests (who may be upset, for example, that you failed to disclose you had been hacked at all). Other tips include complicated passwords and keeping up with frequent system updates.

“Hackers face challenges with authentication, but they are happiest when they can trick an employee into providing them access,” Murphy said.

Front-desk associates are trained to be helpful, and data thieves are quick to take advantage.

In addition, investing in new chip-based credit-card readers is now a must. Data thieves are experts at stealing information off of magstripe keys, something that came to a head in early August when an inventor unveiled a device capable of cloning guestroom keycards and scamming POS systems, all using magstripe data. While much of the hospitality industry is moving away from this technology, there are still some that are slow to upgrade, and Murphy said they have a big target on their backs.

“New systems like Google Play and chip-based cards are very secure,” Murphy said. “Once you implement a digital wallet hackers can’t do much, but hotels are one of the last places they can go to get information from en masse. When you are on the road or in a hotel, they often aren’t looking at their bank information every day. Charges get ignored. These travelers are susceptible to hacks.”

Because financial information is still the bread and butter of data crime, POS systems need to be upgraded to the most recent technology as soon as possible. But it doesn’t stop there. Any vending machine with credit-card swipe access should have more than default security, as well as the latest patches.

“It sounds crazy, but if you aren’t upgraded to the latest operating system, it’s a big deal,” Murphy said.

Keeping your systems up to date can sometimes feel like a full-time job.

All of this may sound like scare tactics to keep your hotel from integrating its technology, but Murphy said that a hotel should instead acknowledge that not everything on property needs to be communicating with everything else. For example, a guest-facing computer terminal providing internet access in the lobby should by no means have access to any POS systems, and if possible should be physically separated from the local network. And if integration is your goal, research heavily and choose your vendor wisely.

“Having integrated solutions can be a good thing if it makes sense. A computer in the lobby playing a video doesn’t need to have internet access,” Murphy said. “Also, pick a vendor and look at what they have to say about security. It goes a long way. If it’s not just a feature set, it’s a red flag. Also investigate their history, because they need to have a track record.”
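The advice that guest-facing devices should have no access to POS systems can be checked against a map of which systems are allowed to connect to which, because a chain of integrations can link two systems that have no direct connection. The sketch below is an added example, not part of the original article; the system names and the allowed-connection map are constructed for illustration.

```python
from collections import deque

# Constructed sample: which systems may open connections to which others.
# Every system name here is hypothetical.
ALLOWED_FLOWS = {
    "lobby_kiosk": {"internet", "signage_server"},
    "signage_server": {"property_mgmt"},
    "vending_machine": {"payment_gateway"},
    "property_mgmt": {"pos", "door_locks"},
    "pos": {"payment_gateway"},
    "door_locks": set(),
}
GUEST_FACING = {"lobby_kiosk", "vending_machine"}
SENSITIVE = {"pos", "property_mgmt", "door_locks"}

def reachable_paths(flows, start):
    """Breadth-first search: {destination: shortest path} from start."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(flows.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths

def audit(flows, guest_facing, sensitive):
    """List (source, target, path) for each guest-facing device that can
    reach a sensitive system, directly or through other systems."""
    findings = []
    for src in sorted(guest_facing):
        paths = reachable_paths(flows, src)
        for dst in sorted(sensitive & paths.keys()):
            findings.append((src, dst, paths[dst]))
    return findings

def cut_flow(flows, src, dst):
    """Return a copy of the map with one allowed connection removed."""
    fixed = {k: set(v) for k, v in flows.items()}
    fixed[src].discard(dst)
    return fixed

if __name__ == "__main__":
    for src, dst, path in audit(ALLOWED_FLOWS, GUEST_FACING, SENSITIVE):
        print(f"{src} can reach {dst} via {' -> '.join(path)}")
```

In the sample map the kiosk never connects to the POS directly, yet the audit reports a path through the signage server and property-management system; removing that one integration clears every finding.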